* [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically
@ 2026-05-17 23:17 Rosen Penev
2026-05-17 23:24 ` Rosen Penev
2026-05-18 7:40 ` Stanislaw Gruszka
0 siblings, 2 replies; 3+ messages in thread
From: Rosen Penev @ 2026-05-17 23:17 UTC (permalink / raw)
To: linux-wireless; +Cc: Stanislaw Gruszka, open list
The rt2x00 LED registration path builds LED class names from the
driver and wiphy names. A fixed stack buffer can truncate those names
before they are passed to the LED core.
Allocate each LED name with kasprintf(), check allocation failures, and
release the stored name when the LED is unregistered.
Assisted-by: Codex:GPT-5.5
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
.../net/wireless/ralink/rt2x00/rt2x00leds.c | 30 ++++++++++++++-----
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
index f5361d582d4e..8818e0b2447b 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
@@ -100,6 +100,8 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
retval = led_classdev_register(device, &led->led_dev);
if (retval) {
+ kfree(name);
+ led->led_dev.name = NULL;
rt2x00_err(rt2x00dev, "Failed to register led handler\n");
return retval;
}
@@ -111,15 +113,19 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
{
- char name[36];
+ char *name;
int retval;
unsigned long on_period;
unsigned long off_period;
const char *phy_name = wiphy_name(rt2x00dev->hw->wiphy);
if (rt2x00dev->led_radio.flags & LED_INITIALIZED) {
- snprintf(name, sizeof(name), "%s-%s::radio",
- rt2x00dev->ops->name, phy_name);
+ name = kasprintf(GFP_KERNEL, "%s-%s::radio",
+ rt2x00dev->ops->name, phy_name);
+ if (!name) {
+ retval = -ENOMEM;
+ goto exit_fail;
+ }
retval = rt2x00leds_register_led(rt2x00dev,
&rt2x00dev->led_radio,
@@ -129,8 +135,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
}
if (rt2x00dev->led_assoc.flags & LED_INITIALIZED) {
- snprintf(name, sizeof(name), "%s-%s::assoc",
- rt2x00dev->ops->name, phy_name);
+ name = kasprintf(GFP_KERNEL, "%s-%s::assoc",
+ rt2x00dev->ops->name, phy_name);
+ if (!name) {
+ retval = -ENOMEM;
+ goto exit_fail;
+ }
retval = rt2x00leds_register_led(rt2x00dev,
&rt2x00dev->led_assoc,
@@ -140,8 +150,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
}
if (rt2x00dev->led_qual.flags & LED_INITIALIZED) {
- snprintf(name, sizeof(name), "%s-%s::quality",
- rt2x00dev->ops->name, phy_name);
+ name = kasprintf(GFP_KERNEL, "%s-%s::quality",
+ rt2x00dev->ops->name, phy_name);
+ if (!name) {
+ retval = -ENOMEM;
+ goto exit_fail;
+ }
retval = rt2x00leds_register_led(rt2x00dev,
&rt2x00dev->led_qual,
@@ -182,6 +196,8 @@ static void rt2x00leds_unregister_led(struct rt2x00_led *led)
led->led_dev.brightness_set(&led->led_dev, LED_OFF);
led->flags &= ~LED_REGISTERED;
+ kfree(led->led_dev.name);
+ led->led_dev.name = NULL;
}
void rt2x00leds_unregister(struct rt2x00_dev *rt2x00dev)
--
2.54.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically
2026-05-17 23:17 [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically Rosen Penev
@ 2026-05-17 23:24 ` Rosen Penev
2026-05-18 7:40 ` Stanislaw Gruszka
1 sibling, 0 replies; 3+ messages in thread
From: Rosen Penev @ 2026-05-17 23:24 UTC (permalink / raw)
To: linux-wireless; +Cc: Stanislaw Gruszka, open list
On Sun, May 17, 2026 at 4:18 PM Rosen Penev <rosenp@gmail.com> wrote:
>
> The rt2x00 LED registration path builds LED class names from the
> driver and wiphy names. A fixed stack buffer can truncate those names
> before they are passed to the LED core.
>
> Allocate each LED name with kasprintf(), check allocation failures, and
> release the stored name when the LED is unregistered.
>
> Assisted-by: Codex:GPT-5.5
I got a crash from this driver:
[11292.387895] ieee80211 phy2: rt2x00_set_rt: Info - RT chipset 3070,
rev 0201 detected
[11293.065970] ieee80211 phy2: rt2x00_set_rf: Info - RF chipset 0005 detected
[11293.072037] ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
[11293.105170] ieee80211 phy2: rt2x00lib_request_firmware: Info -
Loading firmware file 'rt2870.bin'
[11293.105237] ieee80211 phy2: rt2x00lib_request_firmware: Info -
Firmware detected - version: 0.36
[11296.194097] usb 1-11: USB disconnect, device number 6
[11296.196552] ieee80211 phy2: rt2x00usb_vendor_request: Error -
Vendor Request 0x06 failed for offset 0x101c with error -19
[11301.161824] BUG: unable to handle page fault for address: ffffffffffffff08
[11301.161830] #PF: supervisor read access in kernel mode
[11301.161833] #PF: error_code(0x0000) - not-present page
[11301.161835] PGD ea3a27067 P4D ea3a27067 PUD ea3a29067 PMD 0
[11301.161842] Oops: Oops: 0000 [#1] SMP NOPTI
[11301.161847] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted
7.0.8-arch1-1 #1 PREEMPT(full)
c2ec282795e9f47cb8bc86f69b5629c84ae881f4
[11301.161851] Hardware name: To Be Filled By O.E.M. X370 Professional
Gaming/X370 Professional Gaming, BIOS P7.30 10/27/2022
[11301.161854] RIP: 0010:led_blink_set_nosleep+0x1a/0xa0
[11301.161860] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
f3 0f 1e fa 0f 1f 44 00 00 53 48 89 fb 48 83 ec 10 48 89 74 24 08 48
89 14 24 <48> 83 7f 38 00 74 07 48 83 7f 28 00 75 35 48 8d bb 88 00 00
00 e8
[11301.161863] RSP: 0018:ffffc9fc80003d88 EFLAGS: 00010286
[11301.161867] RAX: 0000000000000000 RBX: fffffffffffffed0 RCX: ffffffffc232c4f8
[11301.161869] RDX: 0000000000000000 RSI: 0000000000000001 RDI: fffffffffffffed0
[11301.161871] RBP: ffff89714752de40 R08: ffff8975fef1f2c0 R09: 0000000100a7df80
[11301.161873] R10: 0000000000000201 R11: 0000000000000000 R12: 0000000000000001
[11301.161875] R13: 0000000000000000 R14: ffffc9fc80003e10 R15: ffff8975fef1f2c0
[11301.161877] FS: 0000000000000000(0000) GS:ffff897645967000(0000)
knlGS:0000000000000000
[11301.161880] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11301.161882] CR2: ffffffffffffff08 CR3: 00000001191d1000 CR4: 0000000000f50ef0
[11301.161884] PKRU: 55555554
[11301.161887] Call Trace:
[11301.161889] <IRQ>
[11301.161893] led_trigger_blink+0x55/0x90
[11301.161898] ? __pfx_tpt_trig_timer+0x10/0x10 [mac80211
43d2d2695e6be7042340c3321c2c597aa1cd7f70]
[11301.161944] ? __pfx_tpt_trig_timer+0x10/0x10 [mac80211
43d2d2695e6be7042340c3321c2c597aa1cd7f70]
[11301.161980] call_timer_fn+0x2a/0x140
[11301.161986] __run_timers+0x269/0x330
[11301.161993] timer_expire_remote+0x47/0x60
[11301.161997] tmigr_handle_remote+0x498/0x570
[11301.162005] handle_softirqs+0xe8/0x2c0
[11301.162011] __irq_exit_rcu+0xc9/0xf0
[11301.162015] sysvec_apic_timer_interrupt+0x71/0x90
[11301.162020] </IRQ>
[11301.162022] <TASK>
[11301.162024] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[11301.162028] RIP: 0010:cpuidle_enter_state+0xbb/0x440
[11301.162032] Code: 00 00 e8 c8 ec ec fe e8 93 ee ff ff 48 89 c5 0f
1f 44 00 00 31 ff e8 04 41 eb fe 45 84 ff 0f 85 74 01 00 00 fb 0f 1f
44 00 00 <45> 85 f6 0f 88 cb 01 00 00 44 89 f1 48 2b 2c 24 48 6b d1 68
48 89
[11301.162034] RSP: 0018:ffffffffb8403e10 EFLAGS: 00000246
[11301.162037] RAX: ffff897645967000 RBX: 0000000000000002 RCX: 0000000000000000
[11301.162039] RDX: 00000a4741bc4107 RSI: fffffffb5c704741 RDI: 0000000000000000
[11301.162041] RBP: 00000a4741bc4107 R08: ffff897645967000 R09: ffffffffb8619920
[11301.162043] R10: ffff8975fea217c0 R11: 0000000000000001 R12: ffff896702508800
[11301.162045] R13: ffffffffb8619920 R14: 0000000000000002 R15: 0000000000000000
[11301.162052] cpuidle_enter+0x31/0x50
[11301.162057] do_idle+0x14b/0x2a0
[11301.162063] cpu_startup_entry+0x29/0x30
[11301.162067] rest_init+0xcc/0xd0
[11301.162071] start_kernel+0xa5b/0xa70
[11301.162077] x86_64_start_reservations+0x24/0x30
[11301.162082] x86_64_start_kernel+0xda/0xe0
[11301.162086] common_startup_64+0x13e/0x141
[11301.162094] </TASK>
[11301.162096] Modules linked in: rt2800usb rt2x00usb rt2800lib
rt2x00lib rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm
algif_aead des3_ede_x86_64 des_generic libdes cmac algif_skcipher md4
bnep algif_hash af_alg vfat fat amd_atl intel_rapl_msr
intel_rapl_common snd_hda_codec_alc882 snd_hda_codec_realtek_lib
snd_hda_codec_generic snd_hda_codec_atihdmi snd_hda_codec_hdmi
snd_hda_intel uvcvideo iwlmvm videobuf2_vmalloc kvm_amd snd_hda_codec
uvc snd_hda_core videobuf2_memops snd_intel_dspcfg videobuf2_v4l2
mac80211 btusb kvm snd_intel_sdw_acpi videobuf2_common btmtk snd_hwdep
btrtl videodev ee1004 libarc4 snd_pcm btbcm irqbypass igb atlantic
btintel snd_timer sp5100_tco mc mousedev iwlwifi wmi_bmof rapl macsec
dca snd mxm_wmi i2c_piix4 ptp pcspkr bluetooth soundcore k10temp
pps_core i2c_smbus gpio_amdpt gpio_generic mac_hid cfg80211 rfkill
crypto_user uinput pkcs8_key_parser i2c_dev ntsync nfnetlink zram
842_decompress 842_compress lz4hc_compress lz4_compress dm_crypt
encrypted_keys trusted asn1_encoder tee
[11301.162195] dm_mod hid_logitech_hidpp amdgpu amdxcp i2c_algo_bit
drm_ttm_helper ttm drm_exec drm_panel_backlight_quirks gpu_sched
drm_suballoc_helper video drm_buddy sr_mod nvme drm_display_helper
hid_logitech_dj cdrom nvme_core ghash_clmulni_intel cec aesni_intel
nvme_keyring ccp nvme_auth hkdf wmi thunderbolt
[11301.162227] CR2: ffffffffffffff08
[11301.162230] ---[ end trace 0000000000000000 ]---
[11301.162232] RIP: 0010:led_blink_set_nosleep+0x1a/0xa0
[11301.162236] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
f3 0f 1e fa 0f 1f 44 00 00 53 48 89 fb 48 83 ec 10 48 89 74 24 08 48
89 14 24 <48> 83 7f 38 00 74 07 48 83 7f 28 00 75 35 48 8d bb 88 00 00
00 e8
[11301.162238] RSP: 0018:ffffc9fc80003d88 EFLAGS: 00010286
[11301.162241] RAX: 0000000000000000 RBX: fffffffffffffed0 RCX: ffffffffc232c4f8
[11301.162243] RDX: 0000000000000000 RSI: 0000000000000001 RDI: fffffffffffffed0
[11301.162245] RBP: ffff89714752de40 R08: ffff8975fef1f2c0 R09: 0000000100a7df80
[11301.162247] R10: 0000000000000201 R11: 0000000000000000 R12: 0000000000000001
[11301.162249] R13: 0000000000000000 R14: ffffc9fc80003e10 R15: ffff8975fef1f2c0
[11301.162251] FS: 0000000000000000(0000) GS:ffff897645967000(0000)
knlGS:0000000000000000
[11301.162253] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11301.162255] CR2: ffffffffffffff08 CR3: 00000001191d1000 CR4: 0000000000f50ef0
[11301.162258] PKRU: 55555554
[11301.162260] Kernel panic - not syncing: Fatal exception in interrupt
[11301.162414] Kernel Offset: 0x34c00000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
This AI kept trying to patch net/mac80211/led.c . I really don't think
the problem is there. It found this one in the driver itself. Although
it's probably not it either.
> Signed-off-by: Rosen Penev <rosenp@gmail.com>
> ---
> .../net/wireless/ralink/rt2x00/rt2x00leds.c | 30 ++++++++++++++-----
> 1 file changed, 23 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> index f5361d582d4e..8818e0b2447b 100644
> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> @@ -100,6 +100,8 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
>
> retval = led_classdev_register(device, &led->led_dev);
> if (retval) {
> + kfree(name);
> + led->led_dev.name = NULL;
> rt2x00_err(rt2x00dev, "Failed to register led handler\n");
> return retval;
> }
> @@ -111,15 +113,19 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
>
> void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> {
> - char name[36];
> + char *name;
> int retval;
> unsigned long on_period;
> unsigned long off_period;
> const char *phy_name = wiphy_name(rt2x00dev->hw->wiphy);
>
> if (rt2x00dev->led_radio.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::radio",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::radio",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_radio,
> @@ -129,8 +135,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> }
>
> if (rt2x00dev->led_assoc.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::assoc",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::assoc",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_assoc,
> @@ -140,8 +150,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> }
>
> if (rt2x00dev->led_qual.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::quality",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::quality",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_qual,
> @@ -182,6 +196,8 @@ static void rt2x00leds_unregister_led(struct rt2x00_led *led)
> led->led_dev.brightness_set(&led->led_dev, LED_OFF);
>
> led->flags &= ~LED_REGISTERED;
> + kfree(led->led_dev.name);
> + led->led_dev.name = NULL;
> }
>
> void rt2x00leds_unregister(struct rt2x00_dev *rt2x00dev)
> --
> 2.54.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically
2026-05-17 23:17 [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically Rosen Penev
2026-05-17 23:24 ` Rosen Penev
@ 2026-05-18 7:40 ` Stanislaw Gruszka
1 sibling, 0 replies; 3+ messages in thread
From: Stanislaw Gruszka @ 2026-05-18 7:40 UTC (permalink / raw)
To: Rosen Penev; +Cc: linux-wireless, open list
Hi,
On Sun, May 17, 2026 at 04:17:59PM -0700, Rosen Penev wrote:
> The rt2x00 LED registration path builds LED class names from the
> driver and wiphy names. A fixed stack buffer can truncate those names
> before they are passed to the LED core.
To properly justify the change you'll need to provide real world
example when the size is not sufficient.
> Allocate each LED name with kasprintf(), check allocation failures, and
> release the stored name when the LED is unregistered.
>
> Assisted-by: Codex:GPT-5.5
> Signed-off-by: Rosen Penev <rosenp@gmail.com>
> ---
> .../net/wireless/ralink/rt2x00/rt2x00leds.c | 30 ++++++++++++++-----
> 1 file changed, 23 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> index f5361d582d4e..8818e0b2447b 100644
> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> @@ -100,6 +100,8 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
>
> retval = led_classdev_register(device, &led->led_dev);
> if (retval) {
> + kfree(name);
> + led->led_dev.name = NULL;
> rt2x00_err(rt2x00dev, "Failed to register led handler\n");
> return retval;
> }
> @@ -111,15 +113,19 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
>
> void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> {
> - char name[36];
> + char *name;
> int retval;
> unsigned long on_period;
> unsigned long off_period;
> const char *phy_name = wiphy_name(rt2x00dev->hw->wiphy);
>
> if (rt2x00dev->led_radio.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::radio",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::radio",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
This is overengineering. If needed, the name size can be increased.
Regards
Stanislaw
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_radio,
> @@ -129,8 +135,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> }
>
> if (rt2x00dev->led_assoc.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::assoc",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::assoc",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_assoc,
> @@ -140,8 +150,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> }
>
> if (rt2x00dev->led_qual.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::quality",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::quality",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_qual,
> @@ -182,6 +196,8 @@ static void rt2x00leds_unregister_led(struct rt2x00_led *led)
> led->led_dev.brightness_set(&led->led_dev, LED_OFF);
>
> led->flags &= ~LED_REGISTERED;
> + kfree(led->led_dev.name);
> + led->led_dev.name = NULL;
> }
>
> void rt2x00leds_unregister(struct rt2x00_dev *rt2x00dev)
> --
> 2.54.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-18 7:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-17 23:17 [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically Rosen Penev
2026-05-17 23:24 ` Rosen Penev
2026-05-18 7:40 ` Stanislaw Gruszka
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox